Splunk Search

GeoIP app not working correctly


Hi, I downloaded (installed via Splunk GUI) and am testing out the GeoIP app on my 4.1.4 search head. I'm having an issue though. When I run a search against my proxy data I get no returned information from the GeoIP lookups. The search command I'm running is:

index=weblog | lookup geoip clientip as ip

I do know that after downloading the app I restarted Splunk. I get no errors in logs or at the GUI when I'm issuing the searches.

Any idea on what I'm doing wrong?

Thanks! Steve


Thanks! The localop did the trick!

0 Karma


hi @castle1126 - instead of adding a new answer (like you'd do on a traditional forum), on Splunk Answers you'll want to add a comment on the correct answer and "accept" it by clicking the checkmark. Thanks!

0 Karma

Splunk Employee
Splunk Employee

I use geoip all the time, and I have never had any problems with the expense of the operation.

Try using localop:

index=weblog | localop | lookup geoip clientip as ip



This is an expensive (resource) task on my system. In most of my events I will have at least 2 IP addresses that are extracted via CSV field extraction - which give pretty fast field extractions. IPLocation trying to find the IP in the _raw of these events doesn't come across as optimal. Plus iplocation doesn't give me the opportunity to "give" the lookup an IP address.

0 Karma


Splunk now has a command for ip lookups built in -- iplocation. This might be easier to use than the GeoIP app.

Get Updates on the Splunk Community!

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...